This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim’s machine.
The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.
Indication of Infection
- Presence of files and registry entries mentioned
- Unpexpected connections to the above mentioned Domains
- Presence of the following autorun.inf file on the root of removable and fixed drives:
Methods of Infection
This malware spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.
Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
This malware may also be recieved under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
TR/Dldr.Gaat.B [Avira], W32.Changeup [Symantec], W32/Autorun-BFG [Sophos], Win32/AutoRun.VB.RD [Nod32], Worm.Win32.VBNA [Ikarus], Worm.Win32.VBNA.aitt [Kaspersky], Worm:Win32/Vobfus.R [Microsoft]